Building an Advanced Mail Server, Part 3

A bad side effect of email has been the rapid spread of viruses and
spam, both of which are illegal in one form or another these days. However,
this doesn't stop virus writers or spam moguls from doing what they do. This
means that it's up to our mail server to protect our users from such
things.

Luckily, great applications can help us in our fight against spam and
viruses. For spam protection we will, of course, be using SpamAssassin. For virus protection, we will be using Qmail-Scanner and ClamAV.

SpamAssassin is a lifesaver in my daily life. Every day, it catches about 48 messages before they hit
my inbox. Because I don't send a message to the recipients, I'm not sure how
many viruses are stopped by Qmail-Scanner, but I'm sure more than a few have
been rejected.

SpamAssassin

SpamAssassin is available for most Linux distributions. If you can't find a
package for your distribution, you must install from the source. You can find
more information in SpamAssassin's INSTALL file. You will most likely also want to install Razor, which SpamAssassin can also
use. Debian users can apt-get the package spamassassin.

After you have SpamAssassin up and running, you need to create some procmail
rules and edit your domain's .qmail files. First, let's create a
procmail file with our spam recipes. Please remember that any recipes in this
file are global for the entire virtual domain. Also, I use a program called safecat to properly place messages into my Maildir folders.

I'm no procmail wizard, but this file works for me without any major
problems. I use the call to spam.sh to check and see if the spam
directory exists. If it doesn't, I create it. I've reproduced the script
below.

Now that your procmailrc is all set up and working, you can
enable it in your .qmail files. To do this, you need to go to your
virtual domain directory and change a line in the .qmail-default
file.

bash$ cd /var/lib/vpopmail/domains/example1.com

Open .qmail-default in your favorite editor and delete the only
line in there. Replace it with | preline procmail -p -m ./procmailrc. Once that is done, send yourself a test email. View all headers in your favorite MUA and you should see something like
this:

You will notice that my spam level is set to 5.0. If you are running an ISP
or have a lot of users who get business-type email, you may wish to raise this.
The magic number appears to be somewhere between 7 and 8.5. To change your
settings, open up /var/lib/vpopmail/.spamassassin/user_prefs and
change the required_hits variable appropriately. You can also
change the individual scores for each test SpamAssassin checks. First, look
over the list of tests
and then simply add the alternate scores to vpopmail's user_prefs
file.

Qmail-Scanner and ClamAV

Before you attempt to install Qmail-Scanner, you must have compiled your
Qmail with Bruce Guenter's QMAILQUEUE patch. If you
don't have this installed, then you won't be able to run Qmail-Scanner, which means that you can't use ClamAV.

Before you install Qmail-Scanner, you need to install ClamAV. However, it
should be noted that Qmail-Scanner supports a wide range of antivirus software
and that you do not need to use ClamAV. It seems that, at the time of this
writing, the ClamAV site is down; however, I was able to find Debian packages
without any problems. A quick search on Google turned up RPM packages as
well.

After you have verified that everything is ready to go, download and untar
Qmail-Scanner.

The first ./configure is to verify that Qmail-Scanner finds your antivirus
software, while the second one actually installs the software. Once you have
the software installed, you need to tell Qmail to use it. This requires editing
your TCP server rules. On Debian, this file is /etc/tcp.smtp, but
it may be /etc/tcpserver/smtp.rules on other systems. It should look
something like the following:

:allow,QMAILQUEUE="/usr/sbin/qmail-scanner-queue.pl"

After you have edited the file you will need to rebuild your
SMTP access database with the following command:

For more information on relaying, you will definitely want to check out Life with Qmail's relaying section. If you compiled Qmail with the SMTP-AUTH patch, then you will not have to worry about this, because each time a user sends an email his
MUA will send authentication as well.

You will need to restart Qmail now. After you have restarted Qmail, send
yourself a test message. You should see the following in your headers:

That's it! Now all incoming and outgoing mail will be scanned for viruses.
You may optionally choose to have Qmail-Scanner invoke SpamAssassin as well.
I didn't do this because I wanted control over what happened to the spam
after it was detected.

Conclusion

If you've followed this entire series, you should have a mail server that
supports IMAP and POP3, as well as a web front end. Not only that, but you have
virtual domains and a web interface to manage users (if you installed
qmailadmin). To make things better, all incoming email is scanned for spam and
viruses.

Sometimes it's not easy to integrate open source solutions into a large
system that addresses all of your needs, but I think the mail server outlined in these articles
covers just about everything.

Joe Stump
is the Lead Architect for Digg where
he spends his time partitioning data, creating internal services, and
ensuring the code frameworks are in working order.